Common Entities

Bucket and Host Name

There are two different modes of accessing the buckets. The first (preferred) method identifies the bucket as the top-level directory in the URI.

GET /mybucket HTTP/1.1


The second method identifies the bucket via a virtual bucket host name. For example:

GET / HTTP/1.1


Common Request Headers

Request Header Description
CONTENT_LENGTH Length of the request body.
DATE Request time and date (in UTC).
HOST The name of the host server.
AUTHORIZATION Authorization token.

Common Response Status

HTTP Status Response Code
100 Continue
200 Success
201 Created
202 Accepted
204 NoContent
206 Partial content
304 NotModified
400 InvalidArgument
400 InvalidDigest
400 BadDigest
400 InvalidBucketName
400 InvalidObjectName
400 UnresolvableGrantByEmailAddress
400 InvalidPart
400 InvalidPartOrder
400 RequestTimeout
400 EntityTooLarge
403 AccessDenied
403 UserSuspended
403 RequestTimeTooSkewed
404 NoSuchKey
404 NoSuchBucket
404 NoSuchUpload
405 MethodNotAllowed
408 RequestTimeout
409 BucketAlreadyExists
409 BucketNotEmpty
411 MissingContentLength
412 PreconditionFailed
416 InvalidRange
422 UnprocessableEntity
500 InternalError

Authentication and ACLs

Requests to the S3 can be either authenticated or unauthenticated. S3 assumes unauthenticated requests are sent by an anonymous user. S3 supports canned ACLs.


Authenticating a request requires including an access key and a Hash-based Message Authentication Code (HMAC) in the request before it is sent to the S3 server.

PUT /buckets/bucket/object.mpeg HTTP/1.1

Date: Mon, 2 Jan 2012 00:01:01 +0000
Content-Encoding: mpeg
Content-Length: 9999999
Authorization: {ключ-доступа}:{хэш-сумма-запроса-по-определенным правилам подписанная секретным ключом}

In the foregoing example, replace {access-key} with the value for your access key ID followed by a colon (:). Replace {hash-of-header-and-secret} with a hash of the header string and the secret corresponding to the access key ID.

To generate the hash of the header string and secret, you must: * Get the value of the header string. * Normalize the request header string into canonical form. * Generate an HMAC using a SHA-1 hashing algorithm. * Encode the hmac result as base-64.

To normalize the header into canonical form: * Get all fields beginning with x-amz-. * Ensure that the fields are all lowercase. * Sort the fields lexicographically. * Combine multiple instances of the same field name into a single field and separate the field values with a comma. * Replace white space and line breaks in field values with a single space. * Remove white space before and after colons. * Append a new line after each field. * Merge the fields back into the header.

Replace the {hash-of-header-and-secret} with the base-64 encoded HMAC string.

Access Control Lists (ACLs)

An ACL is a list of access grants that specify which operations a user can perform on a bucket or on an object.

Each grant has a different meaning when applied to a bucket versus applied to an object:

Permission Bucket Object
READ Grantee can list the objects in the bucket. Grantee can read the object.
WRITE Grantee can write or delete objects in the bucket. N/A
READ_ACP Grantee can read bucket ACL. Grantee can read the object ACL.
WRITE_ACP Grantee can write bucket ACL. Grantee can write to the object ACL.
FULL_CONTROL Grantee has full permissions for object in the bucket. Grantee can read or write to the object ACL.